Authentication mechanisms include one or more authentication factors to control access to secured services. An authentication mechanism may require a knowledge factor (e.g., a username and a password), an ownership factor (e.g., a hardware security token), an inherence factor (e.g., a biometric identifier such as a fingerprint), or combinations thereof. The first of these is commonly referred to as Proof of Knowledge (PoK).
Authentication based on PoK includes a provisioning phase (e.g., enrollment) to define user knowledge, and a use phase to authenticate a user who proves that knowledge. The current paradigm for authentication based on PoK is the verification of an identity with a username and password. However, there are improved mechanisms for proofs of knowledge. One such improved mechanism involves the use of picture passwords that supplement or replace textual passwords, and proves that a user has knowledge of a combination of input actions together with a known image such as, for example, a still picture, a motion picture with or without sound, or a photograph. Another improved mechanism involves the use of cognitive tests, and proves that a user has a certain knowledge and/or cognitive ability. These improved mechanisms generally require two components for the PoK: (1) the test (e.g., the picture for the picture password, a cognitive testing question, etc.) and (2) the answer for the test (e.g., the input actions for the picture password, the answer to the cognitive testing question, etc.).
While PoK mechanisms are effective for authenticating users for access to secured services, they are not very secure or private. Typically, the entity controlling access to the secured services, i.e., the Relying Party (RP), has knowledge of all of the components required for the authentication, such as the username, password, picture, picture password, cognitive test, and answer to the cognitive test.
New systems have emerged to address the issue of security and privacy. One such system is taught in the commonly owned and assigned International Application No. PCT/US14/32342 entitled “METHOD AND SYSTEM OF PROVIDING A PICTURE PASSWORD PROOF OF KNOWLEDGE AS A WEB SERVICE,” which is incorporated herein by reference in its entirety. The system disclosed therein uses a PoK service that is separate from that of a RP. The PoK service authenticates a user on behalf of the RP. In this system, the RP knows the username but not the password, and the PoK service knows the password but not the username. Security and privacy are improved by fragmenting the knowledge required for authentication between the PoK service and the RP. No single entity, except for the user, would possess sufficient knowledge to access secured services administered by the RP.
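As an added illustration of the split-knowledge arrangement described above (example code, not code from the cited application), the following Python toy models an RP that stores only usernames and opaque handles, a PoK service that stores only salted answer digests keyed by handle, and a client that alone handles both the username and the answer; the handle format, the one-time assertion token and the PBKDF2 parameters are assumptions made for the illustration.

```python
import hashlib
import os
import secrets


def _digest(salt: bytes, answer: bytes) -> bytes:
    # PBKDF2 with an assumed work factor; only the PoK service ever sees the answer.
    return hashlib.pbkdf2_hmac("sha256", answer, salt, 100_000)


class PoKService:
    """Holds salted answer digests keyed by opaque handle; never sees usernames."""
    def __init__(self):
        self.records = {}     # handle -> (salt, digest)
        self.assertions = {}  # one-time assertion token -> handle

    def enroll(self, answer: bytes) -> str:
        handle, salt = secrets.token_hex(16), os.urandom(16)
        self.records[handle] = (salt, _digest(salt, answer))
        return handle

    def prove(self, handle: str, answer: bytes):
        rec = self.records.get(handle)
        if rec is None or not secrets.compare_digest(rec[1], _digest(rec[0], answer)):
            return None
        assertion = secrets.token_hex(16)
        self.assertions[assertion] = handle
        return assertion

    def redeem(self, assertion: str, handle: str) -> bool:
        # Popped on use so a captured assertion cannot be replayed against the RP.
        return self.assertions.pop(assertion, None) == handle


class RelyingParty:
    """Maps usernames to handles; never stores or checks the answer itself."""
    def __init__(self, pok: PoKService):
        self.pok, self.users = pok, {}

    def register(self, username: str, handle: str) -> None:
        self.users[username] = handle

    def finish_login(self, username: str, assertion: str) -> bool:
        handle = self.users.get(username)
        return handle is not None and self.pok.redeem(assertion, handle)


def client_login(rp, pok, username: str, answer: bytes) -> bool:
    """Only the user's client handles both the username and the answer."""
    handle = rp.users.get(username)  # stands in for the RP redirecting to the PoK service
    assertion = pok.prove(handle, answer) if handle else None
    return assertion is not None and rp.finish_login(username, assertion)
```

Even in this model the PoK service still holds both the test and the answer digest for every handle, which is exactly the residual exposure the following paragraph identifies.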
While these new systems that separate username and password improve security and privacy, the PoK service still has the knowledge required for authentication (e.g., the PoK test and corresponding answer). This increases the risk that a third party can obtain and misuse the PoK testing information in a manner that is detrimental to the user. As such, a need exists to further improve the security and privacy of authentication mechanisms by ensuring that the knowledge required for authentication (e.g., the PoK tests) remains private and unavailable to parties other than the user of a client device.